BreachExchange mailing list archives

Exposure of confidential data via e-mail a very real risk for businesses


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 3 Jun 2014 18:56:56 -0600

http://www.itweb.co.za/index.php?option=com_content&view=article&id=134998:Exposure-of-confidential-data-via-e-mail-a-very-real-risk-for-

Surveys show that companies are becoming increasingly concerned about data
loss and exposure of confidential information through e-mail. And, rightly
so, says Richard Broeke, an IT security expert at Securicom. Research
indicates that at least 22% of companies have experienced an accidental or
malicious leak of sensitive or confidential information by employees
through email in the past 12 months.

Citing research by Osterman Research, Broeke says: "About one in five
companies experience some
form of data loss through e-mail each year. While external threats cause
more pressure and receive more focus from IT departments from a security
point of view, 48% of respondents in Osterman Research's survey said that
employee accidents, non-malicious mishaps and deliberate data leakage also
put them under pressure.

"It is easy to understand why. Users can inadvertently send content that
violates data breach laws, such as sending sensitive content without
encryption, resulting in significant penalties, notification requirements,
sanctions and other consequences," he says.

There are various pieces of legislation that oblige businesses to protect
and appropriately manage sensitive information. Companies can be held
legally liable for non-compliance. Legalities aside, e-mail abuse can have
a devastating effect on corporate reputation.

For the most part, leaks of sensitive information can be put down to
employee accidents. However, companies need to bear in mind the risk of a
disgruntled employee deliberately exposing or stealing confidential
information.

These internal threats, whether by mistake or intentional, make email
content filtering a corporate priority – not only to prevent breaches of
confidentiality that could land the company in contravention of the
regulatory compliance regulations of its industry, but also to ensure that
email communication remains free of inappropriate material that could harm
an organisation's reputation, its relationships with its clients, suppliers
and employees.

Content filtering involves using technology to scan ingoing and outgoing
mails for malicious code and questionable material that doesn't meet a
company's acceptable use policy. E-mail content management systems have
evolved significantly in recent years and while there are those that only
serve for dedicated content filtering, others now possess a range of
capabilities including spam filtering, anti-virus and anti-phishing.

"Content management systems are a very powerful tool for enforcing email
usage policies and for monitoring and controlling the nature of information
flowing in and out of a corporate network. Systems can be configured
according to an organisation's specific rule-set, and any email that
over-steps the lines is immediately stopped," says Broeke.

While technology is the only way to effectively control how and for what
purpose employees utilise company resources like e-mail, education remains
paramount in preventing the compromise of company data.

"Companies need to educate their employees about using email responsibly
and be informed of risks like phishing and social engineering. All
companies also should have a comprehensive e-mail usage policy in place
which makes official the organisation's rules and restrictions on email
usage. Every employee should be aware of the rules, and understand that
there are consequences for the contravention thereof. An e-mail usage
policy offers businesses some protection from liability arising from a
breach of confidential information because the existence of an e-mail
policy is proof that the company had in fact taken steps to discourage and
prevent the inappropriate use of the company's email system.

"Implementing an email policy is particularly advised for businesses that
use, or intend to use, content filtering software to check the content of
their employees' e-mails. Employees would have to be made aware that their
e-mails are being monitored," advises Broeke.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
